Unit Within Chinese People’s Liberation Army Linked To Online Spying

Unit 61398, the not-so-secret cyber warfare branch of the Chinese People’s Liberation Army (PLA), might not be working entirely alone.

On Monday CrowdStrike identified another group that has been dubbed Putter Panda, a cyber-espionage team that conducts operations from Shanghai and reportedly works on behalf of the PLA’s 3rd Department 12th Bureau Unit 61486.

CrowdStrike, a US security firm, released a detailed report that casts light on the PLA’s operations in Shanghai, and it found that the PLA’s General Staff Division (GSD) Third Department appeared to be China’s primary SIGINT collection and analysis agency.

The 12th Bureau, Unit 61486, headquartered in Shanghai’s Zhabei District, supports China’s space surveillance network. Unit 61398, by contrast, had previously been reported to work from a 12-story building on the outskirts of the city. That hacking group was unmasked last year by Mandiant, another US-based security firm.

CrowdStrike further determined the 12th Bureau, Unit 61486, to be a so-called “adversary group,” one that has likely conducted intelligence-gathering operations against the government, defense, research and technology sectors of the United States since at least 2007. It has specifically targeted the space, aerospace and communications sectors, including the US defense industry and European satellite and aerospace industries.

“China’s decade-long economic espionage campaign is massive and unrelenting,” CrowdStrike CEO George Kurtz said in a statement, as reported by CNN. “Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.”

The group earned the dubious moniker “Putter Panda” for its practice of targeting individuals who attended golf conferences. CrowdStrike noted that the group focused its exploits on popular productivity applications, including Adobe Reader and Microsoft Office, as a way to deploy custom malware via targeted email attacks.

The Putter Panda hackers apparently registered fake domains and even compromised legitimate domains as a way to deliver the malware, and further hid malware in PDFs purporting to come from fake businesses, delivered via email to employees. Once the malware was on the targeted system, it reportedly gave the operators a wide degree of control and even allowed them to install new tools to spy on the compromised systems.

This report from CrowdStrike comes three weeks after the United States charged five Chinese nationals with hacking in an attempt to steal secrets in a number of industries. The officers were identified as Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu, and Gu Chunhui, and they were reportedly officers in Unit 61398 of the Third Department of the Chinese People’s Liberation Army (PLA). Those hacking efforts were reportedly directed at six American firms in the metals, solar product and nuclear power industries.

CrowdStrike reported that it is likely the two Chinese groups communicated and shared information. The security researchers identified Chen Ping, aka cpyy, as a suspected member of the PLA and claimed he was responsible for procurement of the domains associated with operations conducted by Putter Panda. CrowdStrike was able to track down the hacker through various social media and forum websites after it was discovered that many of the fake domains were registered by him.

International Business Times reported, “Cpyy was believed to communicate with hackers via auto enthusiast forums, using code words associated with cars to clue them in on jobs and operations.” He was then traced to a workplace in a building surrounded by satellite dishes and dormitory-style residences.

The New York Times reported that this suspected headquarters for Unit 61486, located just north of downtown Shanghai in the Zhabei district, was clearly marked as a “military zone,” and that soldiers guarded its entrances. It is ringed with wire fencing as well as a moat!

While this may shed light on Chinese hacking efforts, something Beijing has strongly denied, it is likely to have little impact on actually stopping any cyber warfare efforts.

“The awareness level may be going up,” CrowdStrike’s Kurtz told the New York Times. “But the Chinese are not slowing down. They keep plowing away.”